CISM Definitions

Question 1

_____ is a binary-to-text encoding process that converts long bit sequences into
alphanumeric text.

Answer 1

Base64 Encoding

Question 2

Description of the logical grouping of capabilities that manage the objects necessary to process
information and support the enterprise’s objectives.

Answer 2

Application architecture

Question 3

A tool for managing organizational strategy that uses weighted measures for the areas of financial
performance (lag) indicators, internal operations, customer measurements, learning and growth
(lead) indicators, combined to rate the enterprise

Answer 3

Business balanced scorecard

Question 4

An application software deployed at multiple points in an IT architecture. It is designed to detect and
potentially eliminate virus code before damage is done and repair or quarantine files that have
already been infected.

Answer 4

Antivirus software

Question 5

Logical and physical controls to define a perimeter between the organization and the outside world

Answer 5

Boundary

Question 6

Preventing, mitigating and recovering from disruption

Answer 6

Continuity

Question 7

The translation of the enterprise’s mission from a statement of intention into performance targets
and results

Answer 7

Business goal

Question 8

An algorithm to perform encryption

Answer 8

Cipher

Question 9

All devices (nodes) are linked along one communication line where transmissions are received by all attached nodes.

Answer 9

Bus configuration

Question 10

The technique used for selecting records in a file, one at a time, for processing, retrieval or
storage.The access method is related to, but distinct from, the file organization, which determines
how the records are stored.

Answer 10

Access Method

Question 11

_____ is a way to identify, acquire and retain customers. _____ is also an industry term for software solutions
that help an enterprise manage customer relationships in an organized manner.

Answer 11

Customer relationship management (CRM)

Question 12

Any process that directly reduces a threat or vulnerability.

Answer 12

Countermeasure

Question 13

An abnormal end to a computer job; termination of a task prior to its completion because of an error condition that cannot be resolved by recovery facilities while the task is executing.

Answer 13

Abend

Question 14

A mechanism that is used to isolate applications from each other within the context of a running
operating system instance.

Answer 14

Application containerization

Question 15

The examination of ratios, trends, and changes in balances and other values between periods to
obtain a broad understanding of the enterprise’s financial or operational position and to identify
areas that may require further or closer investigation

Answer 15

Analytical technique

Question 16

Automatic or manual process designed and established to continue critical business processes from point-of-failure to return-to-normal.

Answer 16

Alternative routing

Question 17

The process of cost allocation that assigns the original cost of an intangible asset to the periods benefited; calculated in the same way as depreciation.

Answer 17

Amortization

Question 18

A third party that delivers and manages applications and computer services, including security
services to multiple users via the Internet or a private network.

Answer 18

Application or managed service provider (ASP/MSP)

Question 19

Device that performs the functions of both a bridge and a router.

Answer 19

Brouter

Question 20

An internal computerized table of access rules regarding the levels of computer access permitted to logon ID and computer terminals. Also referred to as conrol tables

Answer 20

Access Control List (ACL)

Question 21

A program that translates programming language (source code) into machine executable instructions
(object code).

Answer 21

Compiler

Question 22

A method/process by which management and staff of all levels collectively identify and evaluate risk
and controls with their business areas. This may be under the guidance of a facilitator such as an
auditor or risk manager.

Answer 22

Control risk self-assessment

Question 23

The MOST important factor in planning for the long-term retention of electronically stored business records is to take into account potential changes in:
A. storage capacity and shelf life.
B. regulatory and legal requirements.
C. business strategy and direction.
D. application systems and media.

Answer 23

Answer : D
Explanation: Long-term retention of business records may be severely impacted by changes in application systems and media. For example, data stored in nonstandard formats that can only be read and interpreted by previously decommissioned applications may be difficult, if not impossible, to recover. Business strategy and direction do not generally apply, nor do legal and regulatory requirements. Storage capacity and
shelf life are important but secondary issues

Question 24

Developed by Robert S. Kaplan and David P. Norton as a coherent set of performance measures organized into four categories that includes traditional financial measures, but adds customer, internal business process, and learning and growth perspectives.

Answer 24

Balanced scorecard (BSC)

Question 25

A public algorithm that operates on plaintext in blocks (strings or groups) of bits

Answer 25

Cipher

Question 26

An internal computerized table of access rules regarding the levels of computer access permitted to
logon IDs and computer terminals.

Answer 26

Access control table

Question 27

A process for protecting very-high value assets or in environments where trust is an issue. Access to
an asset requires two or more processes, controls or individuals.

Answer 27

Compartmentalization

Question 28

A cipher technique in which different cryptographic keys are used to encrypt and decrypt a message

Answer 28

Asymmetric key (public key)

Question 29

A trusted third party that serves authentication infrastructures or enterprises and registers entities
and issues them certificates

Answer 29

Certificate (Certification) authority (CA)

Question 30

Evaluating the criticality and sensitivity of information assets. An exercise that determines the impact
of losing the support of any resource to an enterprise, establishes the escalation of that loss over
time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes
and the supporting system

Answer 30

Business impact analysis/assessment (BIA)

Question 31

The process of establishing the effective design and operation of automated controls within an
application.

Answer 31

Application benchmarking

Question 32

The individual accountable for delivering the benefits and value of an IT-enabled business investment
program to the enterprise.

Answer 32

Business sponsor

Question 33

A method of user authentication that is carried out through use of the Challenge Handshake
Authentication Protocol (CHAP).

Answer 33

Challenge/response token

Question 34

An alternate facility to continue IT/IS operations when the primary data processing (DP) center is unavailable.

Answer 34

Backup center

Question 35

The system by which enterprises are directed and controlled. The board of directors is responsible for
the governance of their enterprise. It consists of the leadership and organizational structures and
processes that ensure the enterprise sustains and extends strategies and objectives.

Answer 35

Corporate Governance

Question 36

A public algorithm that supports keys from 128 bits to 256 bits in size

Answer 36

Advanced Encryption Standard (AES)

Question 37

The thorough analysis and significant redesign of business processes and management systems to
establish a better performing structure, more responsive to the customer base and market
conditions, while yielding material cost savings.

Answer 37

Business process reengineering (BPR)

Question 38

The policies, procedures, practices and organizational structures designed to provide reasonable
assurance that a business process will achieve its objectives.

Answer 38

Business process control

Question 39

The individual, group or entity that is ultimately responsible for a subject matter, process or
scope.

Answer 39

Accountable party

Question 40

The processes, rules, and deployment mechanisms that control access to the information systems, resources, and physical access to premises

Answer 40

Access Control

Question 41

The risk of reaching an incorrect conclusion based upon audit findings.

Answer 41

Audit risk

Question 42

A type of challenge-response test used in computing to ensure that the response is not generated by
a computer. An example is the site request for web site users to recognize and type a phrase posted
using various challenging-to-read fonts

Answer 42

Completely Automated Public Touring test to tell Computers and Humans Apart (CAPTCHA)

Question 43

A flag set in a packet to indicate to the sender that the previous packet sent was accepted correctly
by the receiver without errors, or that the receiver is now ready to accept a transmission.

Answer 43

Acknowledgment (ACK)

Question 44

This approach allows IS auditors to monitor system reliability on a continuous basis and to gather
selective audit evidence through the computer.

Answer 44

Continuous audit approach

Question 45

Process of developing advance arrangements and procedures that enable an enterprise to respond to
an event that could occur by chance or unforeseen circumstances.

Answer 45

Contingency Planning

Question 46

The highest ranking individual in an enterprise

Answer 46

Chief executive officer (CEO)

Question 47

The policies, procedures, practices and organizational structures designed to provide reasonable
assurance that the business objectives will be achieved and undesired events will be prevented or
detected.

Answer 47

Business control

Question 48

An IS backup facility that has the necessary electrical and physical components of a computer facility,
but does not have the computer equipment in place.

Answer 48

Cold site

Question 49

The individual primarily responsible for managing the financial risk of an enterprise.

Answer 49

Chief financial officer (CFO)

Question 50

Which of the following is the BEST method or technique to ensure the effective
implementation of an information security program?
A. Obtain the support of the board of directors.
B. Improve the content of the information security awareness program.
C. Improve the employees’ knowledge of security policies.
D. Implement logical access controls to the information systems.

Answer 50

Answer : A
Explanation: It is extremely difficult to implement an information security program without the aid and support of the board of directors. If they do not understand the importance of security to the achievement of the business objectives, other measures will not be sufficient. Options B and (‘ are measures proposed to ensure the efficiency of the information security program implementation, but are of less
significance than obtaining the aid and support of the board of directors. Option D is a measure to secure the enterprise information, but by itself is not a measure to ensure the broader effectiveness of an information security program

Question 51

The most senior official of the enterprise who is accountable for IT advocacy, aligning IT and business
strategies, and planning, resourcing and managing the delivery of IT services, information and the
deployment of associated human resources

Answer 51

Chief information officer (CIO)

Question 52

Common path or channel between hardware devices.

Answer 52

Bus

Question 53

A statement of the desired result or purpose to be achieved by implementing control procedures in a
particular process.

Answer 53

Control objective

Question 54

A catalogue of attack patterns as “an abstraction mechanism for helping describe how an attack
against vulnerable systems or networks is executed” published by the MITRE Corporation

Answer 54

Common Attack Pattern Enumeration and Classification (CAPEC)

Question 55

The consolidation in 1998 of the “Cadbury,” “Greenbury” and “Hampel” Reports

Answer 55

Combined Code on Corporate Governance

Question 56

An outcome of effective security governance is:
A. business dependency assessment
B. strategic alignment.
C. risk assessment.
D. planning

Answer 56

Answer : B
Explanation: Business dependency assessment is a process of determining the dependency of a business on certain information resources. It is not an outcome or a product of effective security management. Strategic alignment is an outcome of effective security governance. Where there is good governance, there is likely to be strategic alignment. Risk assessment is not an outcome of effective security governance; it is a process. Planning comes at the beginning of effective security governance, and is not an outcome but a process.

Question 57

The existing description of the fundamental underlying design of the components of the business
system before entering a cycle of architecture review and redesign

Answer 57

Baseline architecture

Question 58

Any formal declaration or set of declarations about the subject matter made by management.

Answer 58

Assertion

Question 59

The means of managing risk, including policies, procedures, guidelines, practices or organizational
structures, which can be of an administrative, technical, management, or legal
nature

Answer 59

Control

Question 60

A service that connects programs running on internal networks to services on exterior networks by
creating two connections, one from the requesting client and another to the destination service

Answer 60

Application proxy

Question 61

______ is a binary-to-text encoding process that converts long bit sequences into
alphanumeric text, which is easier for users

Answer 61

Base58 Encoding

Question 62

Who is ultimately responsible for the organization’s information?
A. Data custodian
B. Chief information security officer (CISO)
C. Board of directors
D. Chief information officer (CIO)

Answer 62

Answer : C
Explanation: The board of directors is ultimately responsible for the organization’s information and is tasked with responding to issues that affect its protection. The data custodian is responsible for the maintenance and protection of data. This role is usually filled by the IT department. The chief information security officer (CISO) is responsible for security and carrying out senior management’s directives. The
chief information officer (CIO) is responsible for information technology within the organization and is not ultimately responsible for the organization’s information.

Question 63

The Committee on the Financial Aspects of Corporate Governance, set up in May 1991 by the UK
Financial Reporting Council, the London Stock Exchange and the UK accountancy profession, was
chaired by Sir Adrian Cadbury and produced a report on the subject commonly known in the UK as
the Cadbury Report.

Answer 63

Cadbury

Question 64

Correctness checks built into data processing systems and applied to batches of input data, particularly in the data preparation stage.

Answer 64

Batch control

Question 65

A proven activity or process that has been successfully used by multiple enterprises.

Answer 65

Best practices

Question 66

Formal inspection and verification to check whether a standard or set of guidelines is being followed,
records are accurate, or efficiency and effectiveness targets are being met

Answer 66

Audit

Question 67

Automatic or manual process designed and established to continue critical business processes from
point-of-failure to return-to-normal.

Answer 67

Alternate process

Question 68

A process to determine the impact of losing the support of any resource.

Answer 68

Business impact analysis

Question 69

Adherence to, and the ability to demonstrate adherence to, mandated requirements defined by laws
and regulations, as well as voluntary requirements resulting from contractual obligations and internal
policies

Answer 69

Compliance

Question 70

A recovery strategy that involves two active sites, each capable of taking over the other’s workload in
the event of a disaster.

Answer 70

Active recovery site (Mirrored)

Question 71

A legal principle regarding the validity and integrity of evidence. It requires accountability for
anything that will be used as evidence in a legal proceeding to ensure that it can be accounted for
from the time it was collected until the time it is presented in a court of
law

Answer 71

Chain of custody

Question 72

The net effect, positive or negative, on the achievement of business objectives.

Answer 72

Business impact

Question 73

Senior management commitment and support for information security can BEST be obtained through presentations that:
A. use illustrative examples of successful attacks.
B. explain the technical risks to the organization.
C. evaluate the organization against best security practices.
D. tie security risks to key business objectives.

Answer 73

Answer : D
Explanation: Senior management seeks to understand the business justification for investing in security. This can best be accomplished by tying security to key business objectives. Senior management will not be as interested in technical risks or examples of successful attacks if they are not tied to the impact on business environment and objectives. Industry best practices are important to senior management but, again, senior management will give them the right level of importance when they are presented in terms of key business objectives.

Question 74

Description of the fundamental underlying design of the components of the business system, or of
one element of the business system (e.g., technology), the relationships among them, and the
manner in which they support enterprise objectives.

Answer 74

Architecture

Question 75

Provides centralized access control for managing remote access dial-up services

Answer 75

Access server

Question 76

A type of malicious exploit of a web site whereby unauthorized commands are transmitted from a
user that the web site trusts (also known as a one-click attack or session riding); acronym pronounced
“sea-surf”.

Answer 76

Cross-site request forgery (CSRF)

Question 77

Most implementations of asymmetric ciphers combine a widely distributed public key and a closely held, protected private key.

Answer 77

Asymmetric cipher

Question 78

Method to select a portion of a population based on the presence or absence of a certain
characteristic

Answer 78

Attribute sampling

Question 79

A process of identifying resources critical to the operation of a business process.

Answer 79

Business dependency assessment

Question 80

Any event, whether anticipated (i.e., public service strike) or unanticipated (i.e., blackout) that
disrupts the normal course of business operations at an enterprise.

Answer 80

Business interruption

Question 81

A document approved by those charged with governance that defines the purpose, authority and
responsibility of the internal audit activity

Answer 81

Audit Charter

Question 82

A term derived from “robot network;” is a large automated and distributed network of previously
compromised computers that can be simultaneously controlled to launch large-scale attacks such as a
denial-of-service attack on selected victims

Answer 82

Botnet

Question 83

A probable situation with uncertain frequency and magnitude of loss (or gain).

Answer 83

Business Risk

Question 84

An instrument for checking the continued validity of the certificates for which the certification
authority (CA) has responsibility

Answer 84

Certificate revocation list (CRL)

Question 85

The MOST complete business case for security solutions is one that.
A. includes appropriate justification.
B. explains the current risk profile.
C. details regulatory requirements.
D. identifies incidents and losses

Answer 85

Answer : A
Explanation: Management is primarily interested in security solutions that can address risks in the most cost-effective way. To address the needs of an organization, a business case should address appropriate security solutions in line with the organizational strategy.

Question 86

The rules, procedures and practices dealing with operational effectiveness, efficiency and adherence
to regulations and management policies.

Answer 86

Administrative control

Question 87

A class of algorithms that repeatedly try all possible combinations until a solution is found.

Answer 87

Brute force

Question 88

Component of an infrastructure-or an item, such as a request for change, associated with an infrastructure-which is (or is to be) under the control of configuration
management

Answer 88

Configuration Item (CI)

Question 89

A further development of the business goals into tactical targets and desired results and outcomes.

Answer 89

Business objective

Question 90

The art of designing, analyzing and attacking cryptographic schemes

Answer 90

Cryptography

Question 91

Measure of interconnectivity among structure of software programs. Coupling depends on the
interface complexity between modules.

Answer 91

Coupling

Question 92

The method used to identify the location of a participant in a network.

Answer 92

Addressing

Question 93

The main actions taken to operate the COBIT process.

Answer 93

Activity

Question 94

Interfaces at the physical layer of the open systems interconnection (OSI) reference model, data
terminal equipment (DTE) to data circuit terminating equipment (DCE), for switched carrier networks

Answer 94

Channel service unit/digital service unit (CSU/DSU)

Question 95

A plan used by an enterprise or business unit to respond to a specific systems failure or disruption

Answer 95

Contingency Plan

Question 96

A means of regaining access to a compromised system by installing software or configuring existing
software to enable remote access under attacker-defined conditions

Answer 96

Backdoor

Question 97

Testing an application with large quantities of data to evaluate its performance during peak periods.
Also called volume testing.

Answer 97

Capacity Stress Testing

Question 98

A type of injection, in which malicious scripts are injected into otherwise benign and trusted web
sites

Answer 98

Cross-site scripting (XSS)

Question 99

The point in an emergency procedure when the elapsed time passes a threshold and the interruption
is not resolved.

Answer 99

Alert situation

Question 100

The maximum period of time that a system can be unavailable before compromising the achievement of the enterprise’s business objective

Answer 100

Acceptable interruption window

Question 101

The boundary defining the scope of control authority for an entity

Answer 101

Control perimeter

Question 102

Preserving authorized restrictions on access and disclosure, including means for protecting privacy
and proprietary information.

Answer 102

Confidentiality

Question 103

The PRIMARY benefit of performing an information asset classification is to:
A. link security requirements to business objectives.
B. identify controls commensurate to risk.
C. define access rights.
D. establish ownership

Answer 103

Answer : B
Explanation: All choices are benefits of information classification. However, identifying controls that are proportional to the risk in all cases is the primary benefit of the process

Question 104

Documentation of the rationale for making a business investment, used both to support a business decision on whether to proceed with the investment and as an operational tool to support management of the investment through its full economic life cycle

Answer 104

Business case

Question 105

A test that has been designed to evaluate the performance of a system

Answer 105

Benchmark

Question 106

Unusual or statistically rare.

Answer 106

Anomaly

Question 107

A recurring journal entry used to allocate revenues or costs

Answer 107

Allocation entry

Question 108

A distributed, protected journaling and ledger system. Use of blockchain technologies can enable
anything from digital currency (e.g. Bitcoin) to any other value-bearning transaction.

Answer 108

Blockchain

Question 109

The control of changes to a set of configuration items over a system life cycle.

Answer 109

Configuration Management

Question 110

Data that is not encrypted. Also known as plaintext

Answer 110

Cleartext

Question 111

A plan containing the nature, timing and extent of audit procedures to be performed by
engagement team members in order to obtain sufficient appropriate audit evidence to form an
opinion.

Answer 111

Audit Plan

Question 112

The risk that a material error exists that would not be prevented or detected on a timely basis by the
system of internal controls

Answer 112

Control Risk

Question 113

A policy that establishes an agreement between users and the enterprise and defines for all parties the range of use that are approved before gaining access to a network or the internet

Answer 113

Acceptable Use Policy

Question 114

Contains the essential elements of effective processes for one or more disciplines.It also describes
an evolutionary improvement path from ad hoc, immature processes to disciplined, mature processes
with improved quality and effectiveness

Answer 114

Capability Maturity Model (CMM)

Question 115

In the Open Systems Interconnection (OSI) communications model, the application layer provides
services for an application program to ensure that effective communication with another application
program in a network is possible

Answer 115

Application layer

Question 116

Responsible for coordinating the planning, development, implementation, maintenance and
monitoring of the information security program.

Answer 116

Corporate Security Officer (CSO)

Question 117

The permission or privileges granted to users, programs or workstations to create, change, delete or
view data and files within a system, as defined by rules established by data owners and the
information security policy.

Answer 117

Access rights

Question 118

Nonstop service, with no lapse in service; the highest level of service in which no downtime is
allowed.

Answer 118

Continuous availability

Question 119

A standardized body of data created for testing purposes.

Answer 119

Base case

Question 120

An adversary that possesses sophisticated levels of expertise and significant resources which allow it
to create opportunities to achieve its objectives using multiple attack vectors (NIST SP800-
61).

Answer 120

Advanced persistent threat (APT)

Question 121

The senior executive responsible for managing the day-to-day operations of a company or other institution.

Answer 121

Chief Operating Officer (COO)

Question 122

An application service provider (ASP) that also provides outsourcing of business processes such as
payment processing, sales order processing and application development.

Answer 122

Business service provider (BSP)

Question 123

Reduction of signal strength during transmission

Answer 123

Attenuation

Question 124

______ is now used only as the acronym in its fifth iteration. A complete, internationally accepted framework for governing and managing enterprise information and technology (IT) that supports enterprise
executives and management in their definition and achievement of business goals and related IT
goals. _____ describes five principles and seven enablers that support enterprises in the
development, implementation, and continuous improvement and monitoring of good IT-related
governance and management practices

Answer 124

COBIT

Question 125

The ability to map a given activity or event back to the responsible party

Answer 125

Accountability

Question 126

The logical route that an end user takes to access computerized
information.<br></br><br></br><strong>Scope Notes: </strong>Typically includes a route through the
operating system, telecommunications software, selected application software and the access control
system.

Answer 126

Access path

Question 127

The range between the highest and lowest transmittable frequencies. It equates to the transmission capacity of an electronic line and is expressed in bytes per second or Hertz (cycles per second).

Answer 127

Bandwidth

Question 128

Locations and infrastructures from which emergency or backup processes are executed, when the
main premises are unavailable or destroyed.

Answer 128

Alternate facilities

Question 129

A software package that automatically plays, displays or downloads advertising material to a
computer after the software is installed on it or while the application is being
used.

Answer 129

Adware

Question 130

A holistic and business-oriented model that supports enterprise governance and management
information security, and provides a common language for information security professionals and
business management.

Answer 130

Business Model for Information Security (BMIS)

Question 131

Actions taken to limit exposure after an incident has been identified and confirmed

Answer 131

Containment

Question 132

A message kept in the web browser for the purpose of identifying users and possibly preparing
customized web pages for them

Answer 132

Cookie

Question 133

The individual who focuses on technical issues in an enterprise

Answer 133

Chief technology officer (CTO)

Question 134

The number of distinct locations that may be referred to with the machine address.

Answer 134

Address space

Question 135

A discussion document that sets out an “enterprise governance model” focusing strongly on both the
enterprise business goals and the information technology enablers that facilitate good enterprise
governance, published by the Information Systems Audit and Control Foundation in 1999.

Answer 135

Control Objectives for Enterprise Governance

Question 136

The PRIMARY concern of an information security manager documenting a formal data retention policy would be:
A. generally accepted industry best practices.
B. business requirements.
C. legislative and regulatory requirements.
D. storage availability.

Answer 136

Answer : B
Explanation: The primary concern will be to comply with legislation and regulation but only if this is a genuine business requirement. Best practices may be a useful guide but not a primary concern. Legislative and regulatory requirements are only relevant if compliance is a business need. Storage is irrelevant since whatever is needed must be provided

Question 137

A code whose representation is limited to 0 and 1.

Answer 137

Binary code

Question 138

Information generated by an encryption algorithm to protect the plaintext and that is unintelligible to
the unauthorized reader.

Answer 138

Ciphertext

Question 139

_______ is a process of determining the dependency of a business on certain information resources.

Answer 139

Business dependency assessment

Question 140

An investigator of activities related to computer crime.

Answer 140

Cybercop

Question 141

The person usually responsible for all security matters both physical and digital in an enterprise

Answer 141

Chief Information Security Officer (CSO)

Question 142

An expenditure that is recorded as an asset because it is expected to benefit more than the current
period. The asset is then depreciated or amortized over the expected useful life of the asset

Answer 142

Capital expenditure/expense (CAPEX)

Question 143

A response in which the system either automatically, or in concert with the user, blocks or otherwise
affects the progress of a detected attack.

Answer 143

Active response

Question 144

Activities conducted in the name of security, business, politics or technology to find information that
ought to remain secret. It is not inherently military.

Answer 144

Cyberespionage

Question 145

The calendar can contain “real” accounting periods and/or adjusting accounting periods. The “real”
accounting periods must not overlap and cannot have any gaps between them. Adjusting accounting
periods can overlap with other accounting periods.

Answer 145

Adjusting period

Question 146

The individual responsible for identifying process requirements, approving process design and
managing process performance.

Answer 146

Business Process Owner

Question 147

Within computer storage, the code used to designate the location of a specific piece of data

Answer 147

Address

Question 148

System heavily fortified against attacks

Answer 148

Bastion

Question 149

A holistic and proactive approach to managing the transition from a current to a desired
organizational state, focusing specifically on the critical human or “soft” elements of
change

Answer 149

Change management

Question 150

A group of people integrated at the enterprise with clear lines of reporting and responsibilities for
standby support in case of an information systems emergency.This group will act as an efficient
corrective control, and should also act as a single point of contact for all incidents and issues related
to information systems.

Answer 150

Computer emergency response team (CERT)

Question 151

A plan used by an enterprise to respond to disruption of critical business processes. Depends on the
contingency plan for restoration of critical systems.

Answer 151

Business continuity plan (BCP)

Question 152

Occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold.

Answer 152

Buffer overflow

Question 153

The PRIMARY benefit of performing an information asset classification is to:
A. link security requirements to business objectives.
B. identify controls commensurate to risk.
C. define access rights.
D. establish ownership

Answer 153

Answer : B
Explanation: All choices are benefits of information classification. However, identifying controls that are proportional to the risk in all cases is the primary benefit of the process

Question 154

A transmission signal that varies continuously in amplitude and time and is generated in wave
formation.

Answer 154

Analog

Question 155

The act of verifying identity, i.e., user, system.

Answer 155

Authentication

Question 156

A technique of reading a computer file while bypassing the internal file/data set label. This process
could result in bypassing of the security access control system.

Answer 156

Bypass label processing (BLP)

Question 157

The person in charge of information security within the enterprise

Answer 157

Chief Information Security Officer (CISO)

Question 158

Members of the operations area who are responsible for the collection, logging and submission of
input for the various user groups.

Answer 158

Control Group

Question 159

Memory reserved to temporarily hold data to offset differences between the operating speeds of
different devices, such as a printer and a computer.

Answer 159

Buffer

Question 160

Which of the following devices could potentially stop a Structured Query Language (SQL) injection attack?
A. An intrusion prevention system (IPS)
B. An intrusion detection system (IDS)
C. A host-based intrusion detection system (HIDS)
D. A host-based firewall

Answer 160

Answer : A
Explanation: SQL injection attacks occur at the application layer. Most IPS vendors will detect at least basic sets of SQL injection and will be able to stop them. IDS will detect, but not prevent I IIDS will be unaware of SQL injection problems. A host-based firewall, be it on the web server or the database server, will allow the connection because firewalls do not check packets at an application layer.

Question 161

The recovery point objective (RPO) requires which of the following?
A. Disaster declaration
B. Before-image restoration
C. System restoration
D. After-image processing

Answer 161

Answer : B
Explanation: The recovery point objective (RPO) is the point in the processing flow at which system recovery should occur. This is the predetermined state of the application processing and data used to restore the system and to continue the processing flow. Disaster declaration is independent of this processing checkpoint. Restoration of the system can occur at a later date, as does the return to normal, after-image processing.

Question 162

A new regulation for safeguarding information processed by a specific type of transaction has come to the attention of an information security officer. The officer should FIRST:
A. meet with stakeholders to decide how to comply.
B. analyze key risks in the compliance process.
C. assess whether existing controls meet the regulation.
D. update the existing security/privacy policy.

Answer 162

Answer : C
Explanation: If the organization is in compliance through existing controls, the need to perform other work related to the regulation is not a priority. The other choices are appropriate and important; however, they are actions that are subsequent and will depend on whether there is an existing control gap.

Question 163

Which of the following controls is MOST effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices?
A. Regular review of access control lists
B. Security guard escort of visitors
C. Visitor registry log at the door
D. A biometric coupled with a PIN

Answer 163

Answer : A
Explanation: A review of access control lists is a detective control that will enable an information security manager to ensure that authorized persons are entering in compliance with corporate policy. Visitors accompanied by a guard will also provide assurance but may not be cost effective. A visitor registry is the next cost-effective control. A biometric coupled with a PIN will strengthen the access control; however, compliance assurance logs will still have to be reviewed

Question 164

Who is responsible for ensuring that information is categorized and that specific protective measures are taken?
A. The security officer
B. Senior management
C. The end user
D. The custodian

Answer 164

Answer : B
Explanation: Routine administration of all aspects of security is delegated, but top management must retain overall responsibility. The security officer supports and implements information security for senior management. The end user does not perform categorization. The custodian supports and implements information security measures as directed.

Question 165

An organization’s information security manager has been asked to hire a consultant to help assess the maturity level of the organization’s information security management. The MOST important element of the request for proposal (RIP) is the:
A. references from other organizations.
B. past experience of the engagement team.
C. sample deliverable.
D. methodology used in the assessment

Answer 165

Answer : D
Explanation: Methodology illustrates the process and formulates the basis to align expectations and the execution of the assessment. This also provides a picture of what is required of all parties involved in the assessment. References from other organizations are important, but not as important as the methodology used in the assessment. Past experience of the engagement team is not as important as the methodology used. Sample deliverable s only tell how the assessment is presented, not the process.

Question 166

Which of the following is the MOST appropriate frequency for updating antivirus signature files for antivirus software on production servers?
A. Daily
B. Weekly
C. Concurrently with O/S patch updates
D. During scheduled change control updates

Answer 166

Answer : A
Explanation: New viruses are being introduced almost daily. The effectiveness of virus detection software depends on frequent updates to its virus signatures, which are stored on antivirus signature files so updates may be carried out several times during the day. At a minimum, daily updating should occur. Patches may occur less frequently. Weekly updates may potentially allow new viruses to infect the system.

Question 167

Which of the following would be the MOST significant security risk in a pharmaceutical institution?
A. Compromised customer information
B. Unavailability of online transactions
C. Theft of security tokens
D. Theft of a Research and Development laptop

Answer 167

Answer : D
Explanation: The research and development department is usually the most sensitive area of the pharmaceutical organization, Theft of a laptop from this area could result in the disclosure of sensitive formulas and other intellectual property which could represent the greatest security breach. A pharmaceutical organization does not normally have direct contact with end customers and their transactions are not time critical: therefore, compromised customer information and unavailability of online transactions are not the most significant security risks. Theft of security tokens would not be as significant since a pin would still be required for their use.

Question 168

Who should be responsible for enforcing access rights to application data?

a. Data Owners
b. Business process owners
c. The security steering committee
d. Security Administrators

Answer 168

Answer: D
As custodians, security administrators are responsible for enforcing access rights to data. Data owners are responsible for
approving these access rights. Business process owners are sometimes the data owners as well, and would not be responsible for enforcement. The security steering committee would not be responsible for enforcement